#IstioCon Istio Architecture Connect, secure, control, and observe services. #IstioCon Security Architecture #IstioCon Bookinfo architecture without service mesh ● Reviews-v1 ○ doesn’t call accept only plain text ● UNSET: inherit from parent, default to PERMISSIVE if no set apiVersion: "security.istio.io/v1beta1“ kind: "PeerAuthentication“ metadata: name: "demo-peer-policy“ namespace: "default“ gateway Access productpage #IstioCon Authorize ingress traffic with JWT token apiVersion: "security.istio.io/v1beta1“ kind: "RequestAuthentication“ metadata: name: "jwt-example“ namespace: istio-system

};f # WARNING: Don't try this! Things We Have Done 1. Hardware Isolation 2. Security Tools - SELinux, Seccomp, AppArmor, Capabilities, Cgroup 3. Intrusion Detection - Monitor suspicious nginx EOT Rust- VMM Demo Future Works • Extend Rust-VMM to support networking and storage • Security policy integration • Develop a new fully Rust-based runtime for edge computing • Support live migration

Microkernel Overview I. Background  https://en.wikipedia.org/wiki/Microkernel Security I. Background  Difference Between Microkernel and Monolithic Kernel: Source: https://www with usermode VMMs Source: https://sel4.systems/About/seL4-whitepaper.pdf 1.2.1.3 Provable Security I. Background  .  https://docs.sel4.systems/projects/l4v/ https://github

should happen … including some standard ones: an event loop, portable access to the system execution context, nursery for spawned work4 P2300: STD::EXECUTION Proposes: • A set of concepts that represent: std::move(work) ).value(); } Launch three tasks to execute concurrently on a custom execution context libunifex: https://github.com/facebookexperimental/libunifex7 EXAMPLE: LAUNCHING CONCURRENT WORK return compute_intensive(2); }) );14 Example 2: Transitioning execution context15 EXAMPLE: TRANSITIONING EXECUTION CONTEXT namespace ex = std::execution; ex::sender auto accept_request(); ex::sender

analysis Fraud & spam detection DDoS protection Application performance monitoring Logs & metrics Security events and logs. SIEM Analytics of corporate networks Telemetry Industrial monitoring Sensor data

run steady and persistent nodes for this platform? Two Major Problems ➔ End user drives, no security (or token fund) drives. ➔ Network is like a living creature, it will evolve – grow or die. The

need… • a Service Mesh, but to secure it I need… • an automated Certificate Authority, and for more security I need… • a Container scanning and monitoring service, and to monitor it more I need… • a Log Aggregation

O p s / 平 台 运 维 • I T / 基 础 设 施 • 测 试 / 安 全 团 队 持续测试 (Continuous Testing) 持续安全 (Continuous Security) 软件研发核心工程实践：交付工程 CI/CD 开发者实践 软件研发核心工程实践：全流程质量工程实践 - 持续测试 CT/ 持续安全 CS 协 同 特 点 ： • 流 程 可 定 义

return f(i) + 1; // immediate function context } else { return 42; } } consteval int h(int i) { return f(i) + 1; // immediate function context }16 Agenda  C++23 Core Language  Explicit

模块能自动识别 [] 位于等号左侧还是右侧，分成两个独立的函数 。 • 如果等号在左侧，则被他的 ast 模块视为写入上下文（ store context ），翻译成 __setitem__ 。 • 如果等号在右侧，则被他的 ast 模块视为读取上下文（ load context ），翻译成 __getitem__ 。 • 也就是说 Python 的 [] 其实是调用了两个不同的运算符重载： • m[key]